
Why do I keep seeing Heartbleed and Shellshock mentioned in articles specifically about Linux security? Those two vulnerabilities had nothing to do with Linux.

Software using OpenSSL or bash on any platform was vulnerable. That includes Macs and Windows.

Linux is extremely popular for servers and embedded systems where OpenSSL and bash are common but bringing them up every time "security + Linux" are discussed is a bit like talking about tires that blow out whenever the topic of logistics comes up.




So by that logic, it is unfair to criticise Flash and/or Java as Windows security issues?

It seems like Linux people want to shift the definition of "Linux" between only the kernel and the entire OS when it is convenient. In this case we're shifting down the definition to "kernel only" so we can avoid talking about Linux (the OS's) potential security issues.

Heartbleed and Shellshock are Linux (OS) issues. Just because that same software may ship on BSD and OS X is entirely irrelevant. Linux was still by far the largest target (just like Windows is the largest target of cross-platform Java vulnerabilities).

Linux as a kernel is pretty freaking secure. Linux as an OS has a lot of issues, and many (most?) popular distributions are a large part of why (e.g. SELinux is often disabled by default and a lot of packages are incompatible, a lot of services run as root by default, a lot of packages are installed by default (not the minimum), etc).


> So by that logic, it is unfair to criticise Flash and/or Java as Windows security issues?

Uh, yes. They are not Windows security issues.

> Heartbleed and Shellshock are Linux (OS) issues.

No, they were not. Run OpenSSL on Windows and you were just as vulnerable to Heartbleed, same as if you ran bash as a CGI service on Windows, or OS X or BSD or VMS or ...

> shift the definition of "Linux" between only the kernel and the entire OS when it is convenient.

No, they don't. Linux the OS makes sense in some circumstances and not in others; this is one of those times where it doesn't, since we're talking specifically about Linus' work.


> Why do I keep seeing Heartbleed and Shellshock mentioned in articles specifically about Linux security?

Because they're big, popular, well-known names that affect software that typically runs on Linux systems, so everyone goes "mm yep, that was a big Linux issue."

The Linux kernel has issues, but you're not making your case that Linus doesn't take things seriously when your examples have nothing to do with Linus' work.


For the same reason you see X and Vim being referred to as Linux software.


Yep, the discussion should've been about kexec and secureboot.



